For the past week, something strange has been going on in the European internet. For five days, web traffic from Texas to certain addresses in the UK has been routed through Ukrainian and Russian telecoms, taking a detour thousands of miles out of the way. Network traffic often takes a circuitous route as a result of network congestion or interconnection difficulties, but neither one would be enough to account for these routes. Instead, this was the result of a bad route announced by Ukraine's Vega telecom, inserting itself in between. "At this point, I have to believe this was an innocent mistake by Vega," said Dyn's Doug Madory, who first discovered the redirection, "but it's concerning nonetheless."
"At this point, I have to believe this was an innocent mistake."
This phenomenon is known as "route hijacking," and it's a common security concern for network engineers and security researchers alike. It's particularly disconcerting because of the sensitive nature of many of the sites involved. Among the dozens of sites involved was the UK's Atomic Weapons Establishment, which is tasked with managing and delivering the UK's nuclear warheads, as well as the UK's official mail service, the Royal Mail. US defense contractor Lockheed Martin was also running a VPN connection that was caught up in the redirection.
VPN traffic would have been encrypted, as well as almost all email traffic, but anyone listening in on email traffic would have been able to read the IP addresses of the parties involved. Even worse, any site serving data over unencrypted HTTP would have been entirely in the clear, and potentially exposed to injection attacks by a malicious third party with access to an intermediate network. (Both AWE and Royal Mail serve their sites over unencrypted HTTP.) Because of the public nature of the routing table, it's easy to see exactly when and how the route hijacking occurred, but why is still a mystery, and we can't say for sure whether any data was altered in transit.
It's still likely that the redirection was simply an innocent error, but it underscores the insecure nature of the global routing system. While much of the web has grown more wary of digital attack, routing is still based on trust, with networks freely announcing routes and friendly telecoms adopting them as a matter of habit. As a result, inefficient and potentially insecure routes like this one can linger for days without being corrected, without the parties involved ever being aware of them.
The full traceroute is below, with the Ukrainian telecom visible at line 11 and Russian interconnection at 12 and 13:
trace from Houston, TX to Atomic Weapons Establishment at 03:22 Mar 12, 2015
2 22.214.171.124 ae12.dar02.sr02.hou02.networklayer.com 2.948
3 126.96.36.199 ae9.bbr02.sr02.hou02.networklayer.com 0.3
4 188.8.131.52 ae3.bbr02.eq01.dal03.networklayer.com 8.133
5 184.108.40.206 ae1.bbr01.tl01.atl01.networklayer.com 28.524
6 220.127.116.11 ae0.bbr01.eq01.wdc02.networklayer.com 42.033
7 18.104.22.168 ae7.bbr02.eq01.wdc02.networklayer.com 40.167
8 22.214.171.124 ae0.bbr01.eq01.ams02.networklayer.com 118.838
9 126.96.36.199 ae0.bbr02.xn01.fra01.networklayer.com 124.983
10 188.8.131.52 ae7.bbr01.xn01.fra01.networklayer.com 124.133
11 184.108.40.206 edge-3-2-5-231.kiev.ucomline.net 154.988
12 220.127.116.11 ae2-241.RT.NTL.KIV.UA.retn.net 155.174
13 18.104.22.168 ae2-10.RT.TC2.LON.UK.retn.net 158.221
14 22.214.171.124 linx1.ukcore.bt.net 161.442
15 126.96.36.199 (BTnet inter-pop routes, GB) 166.986
16 188.8.131.52 core1-pos1-1.birmingham.ukcore.bt.net 163.205
17 184.108.40.206 vhsaccess1-pos7-0.birmingham.fixed.bt.net 164.139
18 220.127.116.11 (Atomic Weapons Establishment, GB) 177.4